Is there any real reason to use IE at all, for the average user? My bank rolled out a new version of their site last week that only worked in Chrome (they quickly rolled it back...why didn't they at least test it in IE and FF?). So even bureaucratic behemoths don't seem to consider IE the standard browser any more...

Is there any real reason to use IE at all, for the average user? My bank rolled out a new version of their site last week that only worked in Chrome (they quickly rolled it back...why didn't they at least test it in IE and FF?). So even bureaucratic behemoths don't seem to consider IE the standard browser any more...

I wouldn't use an example of incompetence as support for IE being worthless. Regardless, IE11 is a really good browser and can legitimately make the claim that it is the best browser. Sure, I still prefer Chrome (it's still slightly better for developing in), but I no longer look at people who use it with scorn and derision because it's actually not shit now.

What I don't get is why the people the found the exploit aren't waiting for next year to use it. I mean if they kept quiet and flooded the market after XP went out of extended support I doubt Microsoft security would of bothered to take a 2nd look.

What I don't get is why the people the found the exploit aren't waiting for next year to use it. I mean if they kept quiet and flooded the market after XP went out of extended support I doubt Microsoft security would of bothered to take a 2nd look.

Well it also targets Win7. And of course it depends on the organization you are targeting.

What I don't get is why the people the found the exploit aren't waiting for next year to use it. I mean if they kept quiet and flooded the market after XP went out of extended support I doubt Microsoft security would of bothered to take a 2nd look.

Well it also targets Win7. And of course it depends on the organization you are targeting.

Also, I think a lot of people are already migrating away from XP, I know I will be taking the last XP's machines I have down and moving them to something else.

have to wonder whether it's ms themselves putting out these 0days... since the common refrain seems to be to upgrade, which of course means profit for them. sure, i'd love to see more people get off xp and onto at least vista or w7, but i know it won't happen till those xp machines simply die and don't get repaired.

as for upgrades, your average home users typically never upgrade till they buy a whole new machine, and enterprise can't just upgrade on a whim like this. i know it took us a year of planning, building, testing and all that before we even started the pilot for win7. we aren't even considering upgrading to 8/8.1 any time soon - we just finished upgrading everyone to win7 this past summer. and i doubt my office is atypical in that respect. we're a medium-large international lawfirm.

There's still lots of companies that use it as the de facto browser for their users - as shortsighted as that might be from a security standpoint. Most of the people reading these comments would have FF or Chrome or some other browser for their own use, but a ton of people at those companies will just use what they've been given and that'll be I.E. x.x - and of course their IT departments will have user security update privileges locked down as well.

Hopefully Microsoft can get something out relatively quickly to squash the new browser 0 day.

What I don't get is why the people the found the exploit aren't waiting for next year to use it. I mean if they kept quiet and flooded the market after XP went out of extended support I doubt Microsoft security would of bothered to take a 2nd look.

The attackers have an endless list of zero day exploits. No reason to wait.

You just have to wonder how many 0 days there are? It seems endless. With the arrival of CryptoLocker, I've started hardening my clients' networks greater than ever before. These new 0 days would be an effective transmission vector for CryptoLocker.

I've installed Sandboxie for a number of clients, disabled "hide extensions for known file types" (and explained what to look for when saving attachments, installed Chrome, MalwareBytes in realtime mode (paid version), demote user creds, apply GPOs to disallow EXE launching from the profile, and anything else I can think of.

I use it every day on my Surface 2. It's a far nicer browser than you give it credit. There's even some adblocking and tracking blocking extensions now. I don't know if anyone made the proper comparison or not, but IE11 on the original Surface RT is a noticeably smoother experience than mobile Chrome on the original Nexus 7. Both ran on Tegra 3 hardware and pushed a similar amount of pixels, and IE has full Flash support.

You just have to wonder how many 0 days there are? It seems endless. With the arrival of CryptoLocker, I've started hardening my clients' networks greater than ever before. These new 0 days would be an effective transmission vector for CryptoLocker.

I've installed Sandboxie for a number of clients, disabled "hide extensions for known file types" (and explained what to look for when saving attachments, installed Chrome, MalwareBytes in realtime mode (paid version), demote user creds, apply GPOs to disallow EXE launching from the profile, and anything else I can think of.

Hiding file extensions is the stupidest "feature" ever. Runner up is the icon view of directory contents.

I use it every day on my Surface 2. It's a far nicer browser than you give it credit. There's even some adblocking and tracking blocking extensions now. I don't know if anyone made the proper comparison or not, but IE11 on the original Surface RT is a noticeably smoother experience than mobile Chrome on the original Nexus 7. Both ran on Tegra 3 hardware and pushed a similar amount of pixels, and IE has full Flash support.

I assume he meant on the desktop, but IMO Internet Explorer 11 is by a large margin the best tablet browser available.

As is often the case, the attacks can be blocked by installing the latest version of Microsoft EMET, short for the Enhanced Mitigation Exploitation Toolkit. Members of Microsoft's security response team have not yet commented on the report, although they are likely to do so soon. Microsoft representatives contacted by Ars didn't have an immediate comment on the FireEye report.

When is Microsoft finally going to realize they should just ship EMET by default with every version of Windows? It even comes with a list of commonly used applications that would cover the vast majority of software that people use.

I use it on all of my machines and I regularly recommend it to anyone who cares about system security. Inevitably, the first thing they ask me after I tell them about EMET is; "Why doesn't Microsoft just have it installed already with the OS?"

As is often the case, the attacks can be blocked by installing the latest version of Microsoft EMET, short for the Enhanced Mitigation Exploitation Toolkit. Members of Microsoft's security response team have not yet commented on the report, although they are likely to do so soon. Microsoft representatives contacted by Ars didn't have an immediate comment on the FireEye report.

When is Microsoft finally going to realize they should just ship EMET by default with every version of Windows? It even comes with a list of commonly used applications that would cover the vast majority of software that people use.

I use it on all of my machines and I regularly recommend it to anyone who cares about system security. Inevitably, the first thing they ask me after I tell them about EMET is; "Why doesn't Microsoft just have it installed already with the OS?"

I always have to answer that question with a shrug.

I wonder if that decision was made in anticipation of enterprise customers. Perhaps there was some pushback from some of Microsoft's larger customers due to some incompatibilities with existing software.

That is a reason a number of outfits were still using IE6 long after its practical life--their custom software would have required rewriting to upgrade..

As is often the case, the attacks can be blocked by installing the latest version of Microsoft EMET, short for the Enhanced Mitigation Exploitation Toolkit. Members of Microsoft's security response team have not yet commented on the report, although they are likely to do so soon. Microsoft representatives contacted by Ars didn't have an immediate comment on the FireEye report.

When is Microsoft finally going to realize they should just ship EMET by default with every version of Windows? It even comes with a list of commonly used applications that would cover the vast majority of software that people use.

I use it on all of my machines and I regularly recommend it to anyone who cares about system security. Inevitably, the first thing they ask me after I tell them about EMET is; "Why doesn't Microsoft just have it installed already with the OS?"

I always have to answer that question with a shrug.

This is almost certainly because EMET can potentially cause problems with third party programs and Microsoft doesn't want to be responsible for supporting another vendor's product.

I do wish they'd bring all the EMET protection mechanisms into supported Windows versions through a service pack so at least things like IE could opt in without requiring EMET.

As is often the case, the attacks can be blocked by installing the latest version of Microsoft EMET, short for the Enhanced Mitigation Exploitation Toolkit. Members of Microsoft's security response team have not yet commented on the report, although they are likely to do so soon. Microsoft representatives contacted by Ars didn't have an immediate comment on the FireEye report.

When is Microsoft finally going to realize they should just ship EMET by default with every version of Windows? It even comes with a list of commonly used applications that would cover the vast majority of software that people use.

I use it on all of my machines and I regularly recommend it to anyone who cares about system security. Inevitably, the first thing they ask me after I tell them about EMET is; "Why doesn't Microsoft just have it installed already with the OS?"

I always have to answer that question with a shrug.

This is almost certainly because EMET can potentially cause problems with third party programs and Microsoft doesn't want to be responsible for supporting another vendor's product.

I do wish they'd bring all the EMET protection mechanisms into supported Windows versions through a service pack so at least things like IE could opt in without requiring EMET.

IIRC, all the protections you can add through EMET, are capable of being added through a combination of regedits, Local Group Policy and system settings.

The attackers embedded the exploit code directly "into a strategically important website, known to draw visitors that are likely interested in national and international security policy," the researchers wrote.

Ummm, so why don't they tell us what this infected website is so people don't go visit the site and get infected...?

Is there any real reason to use IE at all, for the average user? My bank rolled out a new version of their site last week that only worked in Chrome (they quickly rolled it back...why didn't they at least test it in IE and FF?). So even bureaucratic behemoths don't seem to consider IE the standard browser any more...

Lots of workplaces still mandate IE.

Also, pity poor Danes, who pretty much have to use IE (with Java, for pity's sake) to reliably do any official/banking related stuff. Their "ebox" system doesn't work properly in other browsers most of the time, so is a complete security nightmare. Not even the WWII spy feel of having an almost one-time pad to carry around as your second auth factor offsets the irritation.

Is there any real reason to use IE at all, for the average user? My bank rolled out a new version of their site last week that only worked in Chrome (they quickly rolled it back...why didn't they at least test it in IE and FF?). So even bureaucratic behemoths don't seem to consider IE the standard browser any more...

Lots of workplaces still mandate IE.

Also, pity poor Danes, who pretty much have to use IE (with Java, for pity's sake) to reliably do any official/banking related stuff. Their "ebox" system doesn't work properly in other browsers most of the time, so is a complete security nightmare. Not even the WWII spy feel of having an almost one-time pad to carry around as your second auth factor offsets the irritation.

Many corporations still use IE since many of their internal sites and portals were built and tested on IE. Regardless, even other traditional browsers such as Chrome and Safari experience similar problems, since the inherent problem lies in the fact that the browser is local to the machine which is browsing the Internet. So if you visit similar sites which have been hacked and implanted with malware, the possibility of becoming infected exists in those browsers as well. This particular instance though definitely has an additional level of complexity to it.It is inevitable that people will visit infected sites. The best solution to this would be to keep the browser totally off the local machine- A virtualized browser, such as Spikes' AirGap is a viable solution to such a problem.